17 Mistakes Microsoft made in the Xbox Security System
Michael Steil
http://www.xbox-linux.org/
29.12.2005
Xbox Security
December 2002 (19C3)
Andy Green, Franz Lehner, Milosch Meriac, Michael Steil
Xbox Hacking & Xbox Linux
December 2003 (20C3)
Andrew “bunnie” Huang
Xbox Hardware Hacking
Stefan Esser, Franz Lehner, David Jilli, Franz Lehner, Melissa Mears, Michael Steil
Xbox Software Hacking
+
+ August 2005
additional research...
=
Introduction
The Xbox is a gaming console, which has been introduced by Microsoft Corporation in late 2001 and competed with the Sony Playstation 2 and the Nintendo GameCube. Microsoft wanted to prevent the Xbox from being used with copied games, unofficial applications and alternative operating systems, and therefore designed and implemented a security system for this purpose.
This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how not to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes.
For every security concept, this article will first explain the design from Microsoft's perspective, and then describe the hackers' efforts to break the security. If the reader finds the mistakes in the design, this proves that Microsoft has weak developers. If, on the other hand, the reader doesn't find the mistakes, this proves that constructing a security system is indeed hard.
The Xbox Hardware
Because Microsoft had a very tight time frame for the development of the Xbox, they used off-the-shelf PC hardware and their Windows and DirectX technologies as the basis of the console. The Xbox consists of a Pentium III Celeron mobile 733 MHz CPU, 64 MB of RAM, a GeForce 3 MX with TV out, a 10 GB IDE hard disk, an IDE DVD drive, Fast Ethernet, as well as USB for the gamepads. It runs a simplified Windows 2000 kernel, and the games include adapted versions of Win32, libc and DirectX statically linked to them.
Although this sounds a lot more like a PC than, for example, a GameCube with its PowerPC processor, custom optical drive and custom gamepad connectors, it is important to point out that, from a hardware point of view, the Xbox shares all properties of a PC: It has LPC, PCI and AGP busses, it has IDE drives, it has a Northbridge and a Southbridge, and it includes all the legacy PC features such as the “PIC” interrupt controller, the “PIT” timer and the A20 gate. nVidia sold a slightly modified Southbridge and a Northbridge with another graphics core embedded for the PC market as the “nForce” chipset between 2001 and 2002.
Motivation for the Security System
The Xbox being a PC, it should be trivial to install Linux on it in order to have a cheap and, for that time, powerful PC. Even today, a small and silent 733 MHz PC with TV connectivity for 149 USD/EUR is still attractive. But this is not the only thing Microsoft wanted to prevent. There are three uses that should not have been possible:
• Linux: The hardware is subsidized and money is gained with the games, therefore people should not be able to buy an Xbox without the intent to buy any games. Microsoft apparently feels that allowing the Xbox to be used as a (Linux) computer would be too expensive for them.
• Homebrew/Unlicensed: Microsoft wants the software monopoly on the Xbox platform. Nobody should be able to publish unlicensed software, because Microsoft wants to gain money with the games to amortize the hardware losses, and because they do not want anyone to release non-Internet Explorer browsers and non-Windows Media Player multimedia software.
• Copies: Obviously it is important to Microsoft that it is not possible to run copied games on the Xbox.
Microsoft decided to design a single security system that was supposed to make Linux, homebrew/unlicensed software and copies impossible. The idea to accomplish this was by simply locking out all software that is either not on the intended (original) medium or not by Microsoft.
17 Mistakes Microsoft Made in the Xbox Security System
Michael Steil <[email protected]>
Xbox Linux Project http://www.xbox-linux.org/
October 2005
conclusion
summary
+ Andrew “bunnie” Huang
Hacking the Xbox
Idea of this Talk
Microsoft’s view
The mistakes are obvious?
yes no
Schneier is right it’s not that easy!
You are Microsoft!
Home Entertainment
Discman, Mini-Disc
Windows Media Audio
DVD Recorder
Windows Media
Playstation
Seamus Blackley
We need a video game console in less than 2 years!
• PC hardware
• Windows 2000
• DirectX libs
• smaller case
A video game console
fast and cheap!
What is the Xbox?
• Celeron III 733, 64 MB RAM
• nVidia GeForce 3½, TV out
• 10 GB HD, DVD-ROM
• Fast Ethernet, USB
• stripped-down Windows 2000 system
The Xbox is a PC!
What makes a PC?
• x86 CPU?
• VGA-style GPU?
• PCI, AGP, IDE, USB?
• PIC (1982 Interrupt Controller)
• PIT (1982 Timer)
• A20 gate (1984 hack by IBM)
Security
• Trivial to run Linux?
• No, security system!
Threat | Effect | Reason
Linux | Xbox as a computer | Xbox sold at loss
Homebrew | media player, browser | software monopoly
Copied Games | piracy | obvious
Unlicensed Games | anyone can make games | missing royalties
address 4 threats with 1 security system
Only run authentic code
• only pass execution to trusted code
• “Chain of Trust”
“Trusted Computing” by Benjamin Stephan and Lutz Vogel
http://www.lafkon.net/tc/
Chain of Trust
[Diagram: System Startup, Windows in ROM, Game (Hard Disk, DVD), linked by two “check” arrows]
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, Flash]
[Memory map: RAM from 0 to 0x4000000, (...), Flash from 0xFFFC0000 to 0xFFFFFFFF]
x86 Startup
0xFFFFFFF0
FFF0 lgdt offset gdt
FFF4 mov eax, cr0 ; read CR0
FFF6 or eax, 1 ; set the protected mode bit
FFF8 mov cr0, eax ; write it back
FFFA jmp 0xFFFC0000
modified Flash
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, Flash]
override the Flash chip
replace the Flash chip
overwrite the Flash chip
we must not start from Flash!
Possibility 1
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, ROM in place of Flash]
• use ROM instead of Flash
• more expensive
• ROM can still be replaced
Possibility 2
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, ROM]
• integrate ROM into some other chip
• very effective
• very expensive
Possibility 3
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, ROM, Flash]
• integrate small ROM into some other chip
• make ROM verify Flash
• effective and cheap
Secret ROM
[Memory map: RAM from 0 to 0x4000000, (...), Flash from 0xFFFC0000 to 0xFFFFFFFF; secret ROM, 512 bytes, at the top, covering 0xFFFFFFF0]
• verify Flash integrity
• if okay, pass control to code in Flash
Where to put the ROM
[Diagram: CPU, GPU, Northbridge, RAM, Southbridge, ROM, Flash]
• CPU is expensive
• Southbridge is great
• but data will travel over a bus
Flash Verification
• Check SHA-1/RSA signature
• great, but won’t fit in 512 bytes
• Check SHA-1 hash
• we cannot update the Flash
[Diagram: Flash from 0xFFFC0000 to 0xFFFFFFFF containing the Kernel and “2bl”, with the secret ROM at the top; labels: hash, RSA]
Solution:
Secret ROM
• verify 2bl integrity (hash)
• pass control to 2bl
• decrypt 2bl
• initialize RAM (stress test)
512 bytes???
• read/write memory
• ports
• PCI config
• and/or
• if-then
• end
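struct {
    char opcode;
    int op1;
    int op2;
} *p;
int acc;

p = (void *)0xFFF00080;   /* first Xcode */
while (1) {
    switch (p->opcode) {
    case 2:               /* PEEK: read memory into the accumulator */
        acc = *((int *)p->op1);
        break;
    case 3:               /* POKE: write memory */
        *((int *)p->op1) = p->op2;
        break;
    case 4:               /* POKEPCI: write PCI config space via 0CF8h/0CFCh */
        outl(p->op1, 0x0CF8);
        outl(p->op2, 0x0CFC);
        break;
    case 5:
        ...
    case 0xEE:            /* end of the Xcode program */
        goto end;
    }
    p++;
}
end: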
Virtual Machine
“Xcodes”
Memory Initialization
POKEPCI MEM_CNTRL, 200
POKE 0, 0xAAAAAAAA
ACC = PEEK(0)
IF ACC = 0xAAAAAAAA GOTO END
POKEPCI MEM_CNTRL, 195
POKE 0, 0xAAAAAAAA
ACC = PEEK(0)
IF ACC = 0xAAAAAAAA GOTO END
POKEPCI MEM_CNTRL, 190
...
VM Threat
• secret ROM may be revealed
• people may know how to write Xcodes
• Xcodes are not verified for integrity
• people may hack the Xcode interpreter
Attack 1
Dump Secret ROM
• make sure the Xcodes cannot access the secret ROM
• mask high addresses
A = PEEK(0xFFFFFE00)
OUT 0xC000, A
A = PEEK(0xFFFFFE04)
OUT 0xC000, A
and ebx, 0FFFFFFFh ; clear upper 4 bits
mov edi, [ebx] ; read from memory
jmp next_instruction
Attack 2
Turn off the Secret ROM
• This code will turn off the secret ROM
• We will fall down to Flash
• Check for this code!
POKEPCI(80000880h, 2)
cmp ebx, 80000880h ; MCPX disable?
jnz short not_mcpx_disable ; no
and ecx, not 2 ; clear bit 1
not_mcpx_disable:
[Diagram: Flash, secret ROM]
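Decryption and Hashing
[Diagram: a keystream k1, k2, k3, ... generated from the secret key (seed), with feedback, is XORed with the ciphertext c1, c2, c3, ... to give the plaintext p1, p2, p3, ...; a changed ciphertext byte c4’ changes p4’ and, through the changed keystream k5, k6, the following bytes p5’, p6’, ... up to pn-1’, pn’]
check last few bytes of decrypted data - we get a hash for free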
Panic Code
• what if the Flash check failed?
• panic!
• blink LED
• halt CPU
• disable secret ROM
someone could attach special hardware to dump the secret ROM after a panic
How to Panic
• Turn off CPU, then secret ROM
• who can turn off the ROM??
• Turn off secret ROM, then the CPU
• where is the code to halt the CPU??
or: how to crash a car when the motor is off
Drive against the Top of Memory
mov eax, 80000880h
mov dx, 0CF8h
out dx, eax
add dl, 4
mov al, 2
out dx, al
[Diagram: this code at the very end of the secret ROM, with address markers 0xFFFFFFF1, 0xFFFFFFF6, 0xFFFFFFF9, 0xFFFFFFFB, 0xFFFFFFFC, 0xFFFFFFFE; after it: double fault, CPU halted]
Summary
• secret ROM inside Southbridge
• cannot be replaced/overridden/overwritten
• very hard to dump
• initializes RAM using secure Xcodes
• decrypts and hashes “2bl” in Flash
• panics if something goes wrong
You are a hacker!
Extracting the Secret ROM
• Andrew “bunnie” Huang
• dumped the Flash ROM
• put it online
• got a call from Microsoft’s lawyers
• removed it from his website
Analysis
• bunnie
• looked at where an x86 would start
• what did he see?
• zeros?
Ouch!
• the upper 512 bytes of Flash contain:
• a virtual machine
• RC5 decryption/hash code
• panic code
when changing this code in Flash, nothing happened
it turned out this was an old version of the secret ROM
this code cannot successfully decrypt/verify “2bl”
The Secret ROM
• bunnie
• found out the CPU didn’t boot off Flash
• figured there had to be a secret ROM
• sniffed HyperTransport
• had the 512 bytes of secret code
virtual machine, RC4 decryption, panic code
but 2bl is hashed - what can we do?
Decryption and Hashing
[Diagram, shown first labelled RC5 and then labelled RC4: a keystream k1, k2, k3, ... generated from the secret key (seed) is XORed with the ciphertext c1, c2, c3, ... to give the plaintext p1, p2, p3, ...; a changed ciphertext byte c4’ gives a changed plaintext byte p4’]
RC4 can not be used as a hash!
The Missing Hash
• The RC4 key is in the secret ROM
• So we have the secret RC4 key...
• There is no effective hash
• We can put our (encrypted) code where “2bl” should be
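Added example (not from the talk): the check described above, written in C, decrypting with RC4 and comparing only the last bytes. The key, the 64-byte image and the 4-byte trailer are constructed values; the run shows that a flipped ciphertext byte changes exactly one plaintext byte and that the trailer check still passes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_LEN 64   /* constructed stand-in for the encrypted "2bl" */
static const uint8_t KEY[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; /* constructed */
static const uint8_t MAGIC[4] = {0xDE, 0xC0, 0xAD, 0x0B};  /* hypothetical trailer */

/* Plain RC4: key schedule, then XOR the keystream over buf in place. */
static void rc4(const uint8_t *key, size_t klen, uint8_t *buf, size_t len)
{
    uint8_t s[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % klen]) & 0xFF;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    i = j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (i + 1) & 0xFF;
        j = (j + s[i]) & 0xFF;
        t = s[i]; s[i] = s[j]; s[j] = t;
        buf[n] ^= s[(s[i] + s[j]) & 0xFF];
    }
}

/* Constructed image: filler bytes, magic trailer, then RC4-encrypted. */
static void build_image(uint8_t *img)
{
    for (size_t n = 0; n < IMAGE_LEN; n++) img[n] = (uint8_t)(0x90 + n);
    memcpy(img + IMAGE_LEN - sizeof MAGIC, MAGIC, sizeof MAGIC);
    rc4(KEY, sizeof KEY, img, IMAGE_LEN);
}

/* The "hash for free": decrypt, then look only at the last few bytes. */
static int trailer_ok(const uint8_t *enc)
{
    uint8_t plain[IMAGE_LEN];
    memcpy(plain, enc, IMAGE_LEN);
    rc4(KEY, sizeof KEY, plain, IMAGE_LEN);
    return memcmp(plain + IMAGE_LEN - sizeof MAGIC, MAGIC, sizeof MAGIC) == 0;
}

/* Flip one ciphertext byte at `offset`. Returns the result of the trailer
 * check on the modified image; *changed gets the number of plaintext bytes
 * that differ from the original. */
static int tamper(size_t offset, size_t *changed)
{
    uint8_t good[IMAGE_LEN], bad[IMAGE_LEN];
    build_image(good);
    memcpy(bad, good, IMAGE_LEN);
    bad[offset] ^= 0xFF;
    int verdict = trailer_ok(bad);
    rc4(KEY, sizeof KEY, good, IMAGE_LEN);   /* decrypt both copies */
    rc4(KEY, sizeof KEY, bad, IMAGE_LEN);
    *changed = 0;
    for (size_t n = 0; n < IMAGE_LEN; n++) *changed += (good[n] != bad[n]);
    return verdict;
}

int main(void)
{
    size_t changed;
    int ok = tamper(10, &changed);
    printf("byte 10 flipped: %zu plaintext byte(s) changed, trailer check %s\n",
           changed, ok ? "passes" : "fails");
    ok = tamper(62, &changed);
    printf("byte 62 flipped: %zu plaintext byte(s) changed, trailer check %s\n",
           changed, ok ? "passes" : "fails");
    return 0;
}
```

Only a change inside the trailer itself is noticed; every other byte of the image is unprotected, which is why a stream cipher without feedback gives no integrity.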
Modchips
• First generation
• disable onboard ROM
• add 31 wire parallel ROM
• Second generation
• pretend the onboard ROM is empty (ground data line D0)
• Xbox will boot off external LPC ROM (9 wires!)
Xbox Linux Bootloader
• ship the RC4 key with the build tools??
• we must find a better way
• let’s look at the secret ROM code...
Panic Code Revisited
[Diagram: the panic code (mov eax, 80000880h; mov dx, 0CF8h; out dx, eax; add dl, 4; mov al, 2; out dx, al) at the very end of the secret ROM, with address markers 0xFFFFFFF1, 0xFFFFFFF6, 0xFFFFFFF9, 0xFFFFFFFB, 0xFFFFFFFC, 0xFFFFFFFE; after it: double fault, CPU halted?]
The Earth is a Sphere!
[Diagram: address space with 0x0000000, 0x8000000 and 0xFFFFFFFF marked]
Memory is a Donut
[Diagram: the panic code (mov eax, 80000880h; mov dx, 0CF8h; out dx, eax; add dl, 4; mov al, 2; out dx, al) at the very end of the secret ROM, with address markers 0xFFFFFFF1, 0xFFFFFFF6, 0xFFFFFFF9, 0xFFFFFFFB, 0xFFFFFFFC, 0xFFFFFFFE; what follows at 0x00000000 is marked “?”]
Visor Bug
• “visor” thought:
• perhaps execution rolls over to 0x00000000
• put code at 0x00000000
• let “2bl” check fail
how do we put code at 0x00000000 (RAM)?
Xcodes!
POKE 0x00000000, 0x001000B8
POKE 0x00000004, 0x90E0FFFF
00000000 mov eax, 0xFF001000
00000004 jmp eax
Wrapping Around...
[Diagram: the panic code (mov eax, 80000880h; mov dx, 0CF8h; out dx, eax; add dl, 4; mov al, 2; out dx, al) at the very end of the secret ROM, with address markers 0xFFFFFFF1, 0xFFFFFFF6, 0xFFFFFFF9, 0xFFFFFFFB, 0xFFFFFFFC, 0xFFFFFFFE; followed at 0x00000000 by mov eax, 0xFF001000 and jmp eax]
yes, this works!
why???
A History Lesson
• The 8086 starts off at 0xFFFF0
• Many other CPUs start off at 0
• The 8086 could be used in a computer with ROM at 0
A History Lesson
• Unconnected addresses will read back FF
• FF-FF-... behaves like NOP
• the 8086 can “NOP” its way through 0xFFFF0-0xFFFFF
• ...and continue execution at 0 - by design
• The Pentium III still does it like this
but this does not explain why Microsoft did it wrong...
Microsoft’s Mistake
• AMD CPUs don’t have this behaviour
• They are specified to halt on a
FFFFFFFF/00000000 transition
• All Xbox prototypes had AMD CPUs
• They switched to Intel
“in the last minute”...
“mist” Hack
POKEPCI(80000880h, 2)
cmp ebx, 80000880h ; MCPX disable?
jnz short not_mcpx_disable ; no
and ecx, not 2 ; clear bit 1
not_mcpx_disable:
[Diagram: Flash, secret ROM]
Bits | Description
0-7 | reg
8-10 | func
11-15 | device
16-23 | bus
24-30 | reserved
31 | must be 1
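Added example (not from the talk and not the secret ROM's code): a C model of the exact-match check above next to a version that first clears the reserved bits listed in the table. It assumes the address decoder ignores bits 24-30; the alias value and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MCPX_ROM_CTRL 0x80000880u  /* address the check on the slide compares against */
#define ROM_DISABLE   0x2u         /* bit 1: turn off the secret ROM */
#define PCI_RESERVED  0x7F000000u  /* bits 24-30, "reserved" in the table */

typedef uint32_t (*pokepci_filter)(uint32_t addr, uint32_t val);

/* The check as on the slide: exact compare, then clear bit 1 of the value. */
static uint32_t filter_exact(uint32_t addr, uint32_t val)
{
    if (addr == MCPX_ROM_CTRL)
        val &= ~ROM_DISABLE;
    return val;
}

/* Hardened form: reduce the address to the bits the decoder looks at
 * before comparing, so every alias maps to the same canonical value. */
static uint32_t filter_canonical(uint32_t addr, uint32_t val)
{
    if ((addr & ~PCI_RESERVED) == MCPX_ROM_CTRL)
        val &= ~ROM_DISABLE;
    return val;
}

/* Model of the hardware side (assumption: reserved bits are ignored when
 * bus/device/func/reg are decoded). Returns 1 if this write reaches the
 * ROM control register with the disable bit set. */
static int write_disables_rom(uint32_t addr, uint32_t val)
{
    unsigned enabled = (addr >> 31) & 0x01;  /* bit 31 must be 1 */
    unsigned bus     = (addr >> 16) & 0xFF;
    unsigned dev     = (addr >> 11) & 0x1F;
    unsigned func    = (addr >> 8)  & 0x07;
    unsigned reg     =  addr        & 0xFF;
    return enabled && bus == 0 && dev == 1 && func == 0 && reg == 0x80
           && (val & ROM_DISABLE) != 0;
}

/* Pass one POKEPCI through a filter, then hand it to the hardware model. */
static int rom_disabled_after(pokepci_filter f, uint32_t addr, uint32_t val)
{
    return write_disables_rom(addr, f(addr, val));
}

int main(void)
{
    const uint32_t alias = MCPX_ROM_CTRL | 0x08000000u; /* constructed: one reserved bit set */
    printf("exact,     80000880h: ROM disabled = %d\n",
           rom_disabled_after(filter_exact, MCPX_ROM_CTRL, 2));
    printf("exact,     alias:     ROM disabled = %d\n",
           rom_disabled_after(filter_exact, alias, 2));
    printf("canonical, alias:     ROM disabled = %d\n",
           rom_disabled_after(filter_canonical, alias, 2));
    return 0;
}
```

Canonicalising the operand covers aliases of the 32-bit address only; writes that build the same address through other opcodes, as on the “mist” II slide, are outside what this check sees.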
FF
Landing
[Diagram: Flash and secret ROM; in Flash, a landing zone of nop instructions and a jmp 0xFFFC0000]
“mist” II
OUTB(0xcf8), 0x80
OUTB(0xcf9), 0x08
OUTB(0xcfa), 0x00
OUTB(0xcfb), 0x80
OUTB(0xcfc), 0x02
Microsoft reacts
• Just after bunnie found out that RC4 is no hash...
• ... Microsoft reacted.
How did Microsoft react to finding out that RC4 can not be used as a hash?
Code audit
Wait for more attacks
Fix the hash
Do nothing
Answer: Fix the hash
Reaction
• RC4 is no hash
• RC5 is no option
• add a tiny hash
• many encryption algorithms can be used as hashes
tiny encryption algorithm
Fix the Secret ROM
• keep RC4
• add a TEA hash (really tiny)
• update the RC4 key
• trash thousands of Southbridge chips
And that we will be taking an inventory write off in Q2 related to the amount of Xbox MCPs that were made obsolete when MSFT transitioned to a new security code (by way of the MIT hacker) [...].
Hacking it again
• Extracting the new secret ROM should be trivial
• Just let bunnie dump it again
But there is an easier way...
A20#
A History Lesson II
[Diagram: 8080: addresses 0 to 0xFFFF (64 KB); 8086: addresses 0 to 0xFFFFF (1024 KB)]
16 bit registers - addresses 0 up to 0xFFFF (64 KB)
solution: segments of 64 KB each
[Diagram: 64 KB segments 0x0000, 0x0001, 0x0002, 0x0003 starting at offsets 0, 16, 32, 48; segment 0xF000 at 0xF0000; segments 0xF001 and 0xFFFF; end of memory at 0xFFFFF]
Effective Address = Segment * 16 + Offset
FFFF:0010 = 100000 = 00000
FFFF:FFFF = 10FFF0 = 0FFF0
the 286 is incompatible!
IBM’s Hack
• The 8086 has address lines A0 to A19
• The 286 has an address line A20
• Addresses >= 1 MB won’t wrap around
• IBM had to hack around this
• Option: A20 is always 0
The A20 Gate
[Diagram: 286, Keyboard Controller, RAM; address lines 0 to 20; A20#]
• The “A20 Gate” can pull A20 to 0
• This emulates the 8086 wraparound
The A20 Gate
• Open A20# - you can use memory > 1 MB using Segment:Offset
• MS-DOS calls this “High Memory”
• Close A20# - simulate wraparound
• all addresses are “AND 0xFFEFFFFF”
Legacy Functionality
• Current x86 CPUs still have this functionality
• It is now a pin of the CPU
A20 Hack Howto
• Connect A20# to GND
• All addresses are “AND 0xFEFFFFFF”
• The CPU starts at...
0xFFFFFFF0E
[Memory map: RAM from 0 to 0x4000000, (...), Flash from 0xFFFC0000 to 0xFFFFFFFF with the secret ROM at 0xFFFFFFF0; marker at 0xFEFFFFFF]
so we connected a modchip and put code at 0xFEFFFFF to dump the secret ROM to the I2C
where the round function F is
$F_i(z, k, k') = (\mathrm{ShiftLeft}(z, 4) + k) \oplus (z + C_i) \oplus (\mathrm{ShiftRight}(z, 5) + k')$
Consider complementing the most significant bits of $K_0$ and $K_1$. Note that flipping the most significant bit propagates through both the addition and XOR operations, and flipping it twice cancels the modification. Therefore, modifying the 128-bit master key in this way does not effect the encryption process. We can also complement the most significant bits of $K_2$, $K_3$ without any effect. This means that each TEA key has 3 other equivalent keys. In particular, it is easy to construct collisions for TEA when used in a Davies-Meyer hashing mode [Win84].
2.6 Attacks on One-Wayness
A key schedule is one-way if, given several round subkeys, it is infeasible for an attacker to gain any new information about the master key or about other unknown round subkeys. For instance, recovering a few round subkeys allows one to recover most of the master key in the DES key schedule; Biham and Shamir exploited this to optimize their differential attack on DES [BS93b]. Furthermore, it may be easier to find weak keys and related keys for key schedules which are not one-way.
3 Introduction to Related-Key Cryptanalysis
A related-key attack is one where the attacker learns the encryption of certain plaintext not only under the original (unknown) key $K$, but also under some derived keys $K' = f(K)$. In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, but not the actual key values.
3.1 Overview of General Techniques
The simplest related-key attack treats the cipher as a black box. Winternitz and Hellman show that by obtaining the encryption of a single chosen plaintext under $2^n$ chosen keys, $n \le k$, one may recover the key values with $2^{k-n}$ offline trial encryptions, if the cipher uses $k$-bit keys [WH87]. This attack easily extends to a probabilistic known-key attack with similar complexities, and shows that any cipher has strength of at most $2^{k/2}$ against the naive black box attack, if related-key queries are not much more expensive than chosen-plaintext queries.
Biham introduced a form of related-key cryptanalysis of product ciphers based on rotating the round subkeys [Bih94]. Grossman and Tuckerman have described an attack on Feistel ciphers with identical subkeys in each round [GT78].
John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Lecture Notes in Computer Science, 1109: 237–251, 1996.
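Added example (not from the talk or the quoted paper): the equivalent-key property described in the excerpt, checked in C with the standard TEA encryption routine and a Davies-Meyer step that uses the message block as the key. The chaining value and message block are constructed sample values, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs. */
static const uint64_t SAMPLE_H = 0x0123456789ABCDEFull;
static const uint32_t SAMPLE_BLOCK[4] = {
    0x11223344u, 0x55667788u, 0x99AABBCCu, 0xDDEEFF00u
};

/* Standard TEA encryption: 32 cycles, delta 0x9E3779B9. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Davies-Meyer compression step: H' = E_m(H) xor H, message block m as key. */
static uint64_t dm_compress(uint64_t h, const uint32_t m[4])
{
    uint32_t v[2] = { (uint32_t)(h >> 32), (uint32_t)h };
    tea_encrypt(v, m);
    return (((uint64_t)v[0] << 32) | v[1]) ^ h;
}

/* Complement the most significant bit of every key word i whose bit i is
 * set in `mask` (mask 3 = K0 and K1, mask 12 = K2 and K3). */
static void flip_msbs(const uint32_t in[4], unsigned mask, uint32_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = in[i] ^ (((mask >> i) & 1u) ? 0x80000000u : 0u);
}

/* Of the 15 non-trivial flip patterns, count those whose modified block
 * produces the same compression output as the original block. */
static int count_colliding_patterns(uint64_t h, const uint32_t m[4])
{
    int hits = 0;
    for (unsigned mask = 1; mask < 16; mask++) {
        uint32_t m2[4];
        flip_msbs(m, mask, m2);
        hits += (dm_compress(h, m2) == dm_compress(h, m));
    }
    return hits;
}

int main(void)
{
    uint32_t m2[4];
    flip_msbs(SAMPLE_BLOCK, 3u, m2);
    printf("original block : %016llx\n",
           (unsigned long long)dm_compress(SAMPLE_H, SAMPLE_BLOCK));
    printf("K0,K1 MSBs flip: %016llx\n",
           (unsigned long long)dm_compress(SAMPLE_H, m2));
    printf("colliding flip patterns: %d of 15\n",
           count_colliding_patterns(SAMPLE_H, SAMPLE_BLOCK));
    return 0;
}
```

Two different message blocks giving the same output is exactly what an integrity check over boot code must rule out, so a verifier needs a function designed as a hash rather than a block cipher pressed into that role.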
TEA
We could easily change a JMP to jump to our code.
[Diagram: “mist”: Flash and secret ROM, old and new]
“visor”
• The FFFFFFFF/00000000 wraparound trick still works.
• Microsoft acted too quickly.
• They should have
• waited 2 months
• done an effective code audit
• So there is no need for the attack against TEA...
Today
• Microsoft did not trash Southbridge chips again.
• latest revision
• real ROM
• integrated into PAL/NTSC encoder
LPC override still possible - same Southbridge!
Non-hardware Attacks
[Diagram: System Startup, Windows in ROM, Game (Hard Disk, DVD), linked by two “check” arrows; labels: “hacked!”, “looks pretty secure...”, “Data: no check!”]
we can try standard buffer exploit methods
Game exploits
• What data do games load?
• Graphics, audio, video
• cannot be altered, games don’t run from DVD-R
• Savegames
• stored on hard disk or USB storage (!)
Savegame Exploits
• David Jilli tried games alphabetically
• What’s the first game on the alphabet?
Savegame Exploit Howto
• “dd” a hacked savegame on a USB stick
• load the savegame
How is that possible??
• After a game exploit - aren’t we in user mode?
no, all games run in kernel mode - we have full control
Problem
• We must run the game every time to boot Linux
• But there is an application on the hard disk...
Xbox Dashboard
• loads
• audio
• 3D meshes
• fonts
Xbox Dashboard
• checksums
• audio
• 3D meshes
•
there is a vulnerability in the font handler
Complete HOWTO
• “dd” a savegame to a USB stick
• load the savegame
• a script installs the hacked fonts
• every time you turn on the Xbox, you get the hacked Dashboard
• you can run Linux from the menu - or games
Chain of Mistakes
• USB storage as memory cards
• games in kernel mode
• game exploit
• no font checksum
• font exploit
and there’s another integer exploit in the music playlist handler...
The Fixing Odyssey
1. Microsoft ships fixed version of Dashboard
2. Hackers downgrade to old dashboard (“dd”)
3. Microsoft blacklists old dashboard
4. “xonlinedash.xbe”: same bug, not blacklisted
5. Microsoft blacklists “xonlinedash.xbe”
6. “dashupdate.xbe” on every Xbox Live game DVD: same bug, not blacklisted
7. Microsoft can’t blacklist this one
old games must run on every Xbox
Today
• You can
• permanently mod an Xbox
• to run anything (and games)
• without opening it
The 17 Mistakes
• 8 design mistakes
• 6 implementation mistakes
• 3 policy mistakes
these are mistake “classes”
several of them have been made more than once
I. Design
Security vs. Money
• There is no such thing as “more secure” or “less secure”.
• Either security is effective or it isn’t.
• There is no sensible compromise.
• Do spend money on security to avoid losses on an ineffective security system!
#1
in-system programming of Flash
cheap & faulty RAM chips
secret ROM in Southbridge
no second Southbridge update
Security vs. Speed
• Don’t trade security for speed.
• Don’t be “10%” faster, but “less secure”.
• “10%” is nothing - “200%” would be!
#2
all games run in kernel mode
Combination of Weaknesses
• Be aware that a combination of vulnerabilities can lead to a successful attack.
• Don’t add another barrier in front of a potentially vulnerable component.
• Instead, fix the component.
#3
007 + Dashboard = Linux
Hackers’ Resources
• Don’t underestimate hackers’ resources:
• access to hardware from work
• access to hardware from university
• commercial hackers
• “This would be too expensive/too much work to hack” is a very misleading idea.
#4
MIT’s “bunnie” sniffs HyperTransport
Barriers and Obstacles
• Don’t make something “harder for hackers”.
• Instead, make it “impossible for hackers”.
• Obstacles never slow down hacking significantly.
• You might be misled into thinking your security system is better.
• Direct these resources into real “barriers” instead.
#5
savegames must be signed
hard disk ATA-password-protected
hide the secret ROM
games not readable in PC-DVD
Hacker Groups
• Don’t use one security system against all attackers.
• Otherwise groups with different goals will unite.
• Instead, find out who your enemies are and what they want, and handle them accordingly.
#6
run Linux
run homebrew
run copies
Security by Obscurity
• ...does not work.
• But well-proven algorithms do work (SHA-1, RSA, ...)
• ...if used correctly.
#7
hide secret ROM
encrypt Flash contents
hide DVD contents
hide hard disk Contents
Fixes
• Don’t release “quick” fixes:
• Fixes may be flawed.
• More holes tend to be found soon after that.
• Instead, audit the complete security system again, making use of that new knowledge
• Follow hackers’ progress for some more time
#8
secret ROM hash function
Dashboard font bug odyssey
II. Implementation
Data Sheets
• Read data sheets.
• Don’t just hack around, don’t assume anything.
• Be very careful with components that have legacy functionality.
#9
A20# vulnerability
Intel’s “visor” wraparound
Literature
• Read standard literature.
• For crypto, that’s at least Schneier.
• (Hint for post-2004: Read all external links of the Wikipedia article on the topic)
#10
RC4 as a hash
TEA as a hash
Pros
• Get experienced professionals.
• Your engineers must have a background on security systems.
• Don’t get students on internships.
#11
implementation of secret ROM
Completeness
• Check whether your code catches all cases.
• Instead, your work has the very opposite effect: It gives hints to attackers.
#12
secret ROM turnoff check
hash everything but fonts
Leftovers
• Look at the final product from the perspective of a hacker.
• Hexdump and disassemble your final builds.
#13
old version of secret ROM in Flash
Final Test
• Test your security system (again) when you have all the final components in place.
• Even small changes can break everything else - especially security.
#14
Switch from AMD to Intel
Switch from RC5 to RC4
III. Policies
Source
• Keep your source safe.
• Find engineers you can trust.
#15
leaked Xbox source code
Many People
• Have many people look at your design and your implementation.
• Find engineers you can trust instead of preventing them from seeing the source.
#16
obviously weak QA on many parts
Talk
• Know your “enemy” - and talk to them!
• “Not talking to terrorists” is stupid.
• They are not your enemy by definition - they just want to reach their goals.
• Compromises are a good thing.
#17
don’t talk about font exploit
don’t talk about 007 exploit
Summary of the Xbox “Security System”
• broken by design
• broken by implementation
• broken by policies
• broken.